The report digs deeper into the NSA's Tailored Access Operations, noting that the agency's plans for its targets' hardware are even more aggressive than previously indicated. A document [pdf link] details different offerings for NSA "interns," who will be tasked with a variety of operations to not only compromise hardware integrity, but possibly disable or destroy it.

Potential interns are also told that research into third party computers might include plans to "remotely degrade or destroy opponent computers, routers, servers and network enabled devices by attacking the hardware." Using a program called Passionatepolka, for example, they may be asked to "remotely brick network cards." With programs like Berserkr they would implant "persistent backdoors" and "parasitic drivers". Using another piece of software called Barnfire, they would "erase the BIOS on a brand of servers that act as a backbone to many rival governments."

Despite "tailored" being one of the key words in Tailored Access Operations, the exploits used aren't necessarily targeted. Because the same holes can be exploited by criminals or other "bad guys," non-targeted persons are at risk. And because some of the exploits are by nature self-replicating (documents obtained show the NSA seeking out and deploying trojans and worms), the potential for unintentional collateral damage is always present.

In this guerilla war over data, little differentiation is made between soldiers and civilians, the Snowden documents show. Any Internet user could suffer damage to his or her data or computer. It also has the potential to create perils in the offline world as well. If, for example, a D weapon like Barnfire were to destroy or "brick" the control center of a hospital as a result of a programming error, people who don't even own a mobile phone could be affected.

The NSA doesn't do all of its own dirty work. Its haystacking efforts also take advantage of surveillance programs deployed by anyone outside of its Five Eyes partnership -- including nominally "friendly" countries like Germany. A combination of hacking and exploits allows the NSA to pursue what it calls "fourth party collections."

Some of this is along the lines of what's expected from a national intelligence service -- like the targeting of "unfriendly" countries.

In 2009, an NSA unit took notice of a data breach affecting workers at the US Department of Defense. The department traced an IP address in Asia that functioned as the command center for the attack. By the end of their detective work, the Americans succeeded not only in tracing the attack's point of origin to China, but also in tapping intelligence information from other Chinese attacks -- including data that had been stolen from the United Nations. Afterwards, NSA workers in Fort Meade continued to read over their shoulders as the Chinese secretly collected further internal UN data. "NSA is able to tap into Chinese SIGINT collection," a report on the success in 2011 stated.

But it goes further than that. Allies outside the Five Eyes partnership are not immune from the NSA's piggybacking. And the NSA goes further than simply utilizing man-in-the-middle attacks to "make copies" of anything interesting other countries' surveillance networks have picked up. The presentation lays out the NSA's use of "fourth party collections" to deploy its own exploits (called "victim stealing") or collect new exploits being deployed by other surveillance agencies.

The stuff the NSA pulls from other surveillance networks is then routed away from the agency in order to cover its tracks. Anything that might lead back to the agency is obscured, which could easily result in innocent persons or companies being targeted by irritated foreign surveillance agencies who happen to notice their networks have been accessed by others.

In technical terms, the ROC [Remote Operations Center] lays false tracks as follows: After third-party computers are infiltrated, the process of exfiltration can begin -- the act of exporting the data that has been gleaned. But the loot isn't delivered directly to ROC's IP address. Rather, it is routed to a so-called Scapegoat Target. That means that stolen information could end up on someone else's servers, making it look as though they were the perpetrators.

Before the data ends up at the Scapegoat Target, of course, the NSA intercepts and copies it using its mass surveillance infrastructure and sends it on to the ROC. But such cover-up tactics increase the risk of a controlled or uncontrolled escalation between the agencies involved.

This isn't as deep as the rabbit hole gets, however. The documents leaked by Ed Snowden also detail yet another layer of the NSA's collection-by-proxy efforts. A Q&A pulled from the NSA's internal message boards [pdf link] contains the following discussion:

Is there "fifth party" collection?

"Fourth party collection" refers to passively or actively obtaining data from some other actor's CNE [computer network exploitation] activity against a target. Has there ever been an instance of NSA obtaining information from Actor One exploiting Actor Two's CNE activity against a target that NSA, Actor One, and Actor Two all care about?

-----

Yes. There was a project that I was working on last year with regard to the South Korean CNE program. While we aren't super interested in SK (things changed a bit when they started targeting us a bit more), we were interested in North Korea and SK puts a lot of resources against them.

At that point, our access to NK was next to nothing but we were able to make some inroads to the SK CNE program. We found a few instances where there were NK officials with SK implants on their boxes, so we got on the exfil points, and sucked back the data. That's fourth party. However, some of the individuals that SK was targeting were also part of the NK CNE program. So I guess that would be the fifth party collect you were talking about. But once that started happening, we ramped up efforts to target NK ourselves (as you don't want to rely on an untrusted actor to do your work for you). But some of the work that was done there was able to help us gain access.

I know of another instance (I will be more vague because I believe there are more compartments involved and parts are probably NF) where there was an actor we were going against. We realized there was another actor that was also going against them and having great success because of a 0 day they wrote. We got the 0 day out of passive and were able to re-purpose it. Big win.

The NSA's long straw surveillance also repurposes vernacular from another arena where the war is neverending and the foes declared so dangerous that every Constitutional violation is justified. Those who are used without their knowledge as "hosts" for information gathered by the NSA's "fourth party" efforts have been given an unflattering nickname.

The unwitting victim, whose phone has been infected with a spy program, smuggles the information out of the office. The information is then retrieved remotely as the victim heads home after work. Digital spies have even adopted drug-dealer slang in referring to these unsuspecting accomplices. They are called "unwitting data mules."

When the NSA discusses its efforts with its oversight, very few details are given on the means and methods. The general attitude seems to be that if something like this occurs outside of the US, it doesn't matter. The NSA may make minimal efforts to preserve American citizens' rights, but it has absolutely no concern for anyone located outside of America's borders.

As Der Spiegel notes, the NSA is operating in a "legal vacuum." The tracks left behind by its milkshake drinking cause it no great concern. While it does make some effort to obfuscate its origins (by saddling uninvolved "data mules" with the consequences), it generally remains unconcerned about being caught in the act. There's no legal process that can truly hold the NSA accountable for its extraterritorial actions -- at least nothing that couldn't easily be deflected by one of the most powerful nations in the world.

from the do-you-fancy-a-twilightvegetable? dept

Alongside the disturbing revelations of indiscriminate, global surveillance carried out by the NSA and its Five Eyes friends, leaked documents have shown another side of modern spying: the high-tech gadgets created for the NSA's Tailored Access Operations group, discussed by Techdirt at the end of last year. As its name suggests, these are targeted operations, and with many of the serious concerns about the use of blanket surveillance removed, it is hard not to be impressed by the ingenuity of the devices. Of course, a natural question is: could the rest of us have them too? According to a detailed and fascinating article in Vice's Motherboard, the answer turns out to be "yes".

The report discusses the work of Michael Ossmann, a long-time hardware hacker. Unlike most people, he was not surprised by many of the NSA spying devices found in a 48-page catalog from the Advanced Network Technology (ANT) division, revealed by the German news magazine Der Spiegel:

Most of the document was fun for Ossmann, rather than actually revelatory. “We” -- as in the global community of radio hackers -- “already knew how to build most of this stuff,” he told me recently.

But the ANT toolkit also included another more unusual class of devices known as "radio frequency retroreflectors." With names like NIGHTWATCH, RAGEMASTER, and SURLYSPAWN, these devices were designed to give NSA agents "the means to collect signals that otherwise would not be collectable, or would be extremely difficult to collect and process."

These devices work by reflecting back radio signals beamed at the target systems containing them. Suitable designs allow information to be transmitted to surveillance teams without the need for on-board power supplies. This means that they can be extremely small -- fitting inside a USB plug, for example. Inspired by the ANT catalog, Ossmann and a group of like-minded hackers set about creating a collection of surveillance gadgets they called the NSA Playset:

Every tool in the NSA Playset has been designed on top of open-source hardware and software so that anyone can build their own, often in no more than a few hours. Over a dozen engineers are involved in the project, Ossmann said, but anyone is invited to join and contribute their own device. The first requirement: a silly name riffing on the original NSA codename. "For example, if your project is similar to FOXACID, maybe you could call it COYOTEMETH," says the NSA Playset website. (A separate website, NSA Name Generator, is designed to help.)

As well as being open, the NSA Playset is also very low cost:

One device, dubbed TWILIGHTVEGETABLE, is a knock off of an NSA-built GSM cell phone that's designed to sniff and monitor internet traffic. The ANT catalog lists it for $15,000; the NSA Playset researchers built one using a USB flash drive, a cheap SDR [software-defined radio], and an antenna, for about $50. The most expensive device, a drone that spies on WiFi traffic called PORCUPINEMASQUERADE, costs about $600 to assemble. At Defcon, a complete NSA Playset toolkit was auctioned by the EFF for $2,250.

The article goes on to explore some of the implications of making these advanced surveillance technologies available so cheaply. As well as the obvious use for research purposes -- for example, coming up with countermeasures -- there's another interesting aspect:

the work Ossmann is doing is helping many of the government's engineers resolve a catch-22 that's emerged in the wake of the Snowden revelations: government security researchers who didn't have access to the ANT catalog when it was classified aren't legally permitted to read it or transmit it now, even though everyone else can. Arguably, that leaves the public sector at a disadvantage next to the private sector -- or to spies in, say, Beijing or Moscow.

Amongst other things, the NSA Playset is a great example of how hackers are doing the authorities a big service, by helping government experts get around stupid rules introduced without thinking through the negative consequences they would have for national security and thus public safety.

The National Security Agency has had agents in China, Germany, and South Korea working on programs that use “physical subversion” to infiltrate and compromise networks and devices, according to documents obtained by The Intercept.

The documents, leaked by NSA whistleblower Edward Snowden, also indicate that the agency has used “under cover” operatives to gain access to sensitive data and systems in the global communications industry, and that these secret agents may have even dealt with American firms. The documents describe a range of clandestine field activities that are among the agency’s “core secrets” when it comes to computer network attacks, details of which are apparently shared with only a small number of officials outside the NSA.

The documents also indicate that the NSA has worked with several domestic and foreign companies to weaken encryption, something that isn't exactly news, but is revealed here to be far more extensive than the $10 million paid to RSA to push weakened encryption.

In addition to so-called “close access” operations, the NSA’s “core secrets” include the fact that the agency works with U.S. and foreign companies to weaken their encryption systems; the fact that the NSA spends “hundreds of millions of dollars” on technology to defeat commercial encryption; and the fact that the agency works with U.S. and foreign companies to penetrate computer networks, possibly without the knowledge of the host countries.

Underneath it all is a package of six programs, running under the title of Sentry Eagle. All of these are cybersecurity-related and work together to break encryption and "exploit networks." The program itself is highly secretive, even within the agency itself. [pdf link]

“You are being indoctrinated on Sentry Eagle,” the 2004 document begins, before going on to list the most highly classified aspects of its various programs. It warns that the details of the Sentry Eagle programs are to be shared with only a “limited number” of people, and even then only with the approval of one of a handful of senior intelligence officials, including the NSA director.

The document also makes reference to the fact that details of Sentry Eagle are only to be shared with "a limited number of select government officials," but doesn't go into any greater detail on who these officials might be. Nor is there any mention of additional oversight, like the FISA court or the two intelligence committees.

Presumably, the NSA is more focused on foreign companies than domestic ones and is perhaps even working in concert with local governments to improve surveillance capabilities (in exchange for being given unlimited access to the collected data). If this is true, then buying foreign products to avoid dealing with NSA-sabotaged goods and services is a futile effort. In the wake of Snowden's leaks, many foreign businesses have stated their intent to purchase network and communication equipment/services from non-US companies. These documents imply there may be nowhere else to go.

from the because-of-course-it-was dept

You may recall that, back in 2012, Syria suddenly dropped off the face of the internet. It actually happened twice. There was all sorts of speculation about how it happened.

At the time, Cloudflare's analysis was one of the most thorough, noting that it almost certainly "was done through updates in router configurations" rather than a physical failure or a cable cut or something. Of course, everyone assumed that it was the Syrian government, trying to cut off access to the outside world.

One day an intelligence officer told him that TAO—a division of NSA hackers—had attempted in 2012 to remotely install an exploit in one of the core routers at a major Internet service provider in Syria, which was in the midst of a prolonged civil war. This would have given the NSA access to email and other Internet traffic from much of the country. But something went wrong, and the router was bricked instead—rendered totally inoperable. The failure of this router caused Syria to suddenly lose all connection to the Internet—although the public didn't know that the US government was responsible. (This is the first time the claim has been revealed.)

Inside the TAO operations center, the panicked government hackers had what Snowden calls an “oh shit” moment. They raced to remotely repair the router, desperate to cover their tracks and prevent the Syrians from discovering the sophisticated infiltration software used to access the network. But because the router was bricked, they were powerless to fix the problem.

Fortunately for the NSA, the Syrians were apparently more focused on restoring the nation’s Internet than on tracking down the cause of the outage. Back at TAO’s operations center, the tension was broken with a joke that contained more than a little truth: “If we get caught, we can always point the finger at Israel.”

Thus, it appears that Cloudflare's speculation that it was done as a router update was entirely correct -- just that no one realized it was the NSA that was updating the routers, rather than the Syrians.

from the not-us! dept

After Glenn Greenwald's book came out last week, one of the big stories was the additional revelations about the NSA's interdiction program -- in which the NSA grabs packages of computer equipment that are being shipped, outfits the equipment with backdoors -- and sends them along their shipping route as if nothing happened. Most famously, it included an image of it happening, showing a clear Cisco box:

Cisco has insisted publicly that it has nothing to do with this program and apparently complained directly to the President about this program, and how it harms their reputation. While some people doubt whether or not Cisco is being totally forthright, others wondered if perhaps it wasn't Cisco, but a third party, such as whoever ships Cisco's equipment. It turns out that company is often UPS, and Matthew Keys, writing for TheBlot, got UPS to vehemently deny assisting the NSA as well:

UPS, which Cisco has used since 1997 to ship hardware to customers around the world, said on Thursday that it did not voluntarily allow government officials to inspect its packages unless it is required to do so by law.

“UPS’ long-standing policy is to require a legal court-ordered process, such as a subpoena, before responding to any third-party requests,” UPS spokeswoman Kara Ross wrote in an e-mail to TheBlot Magazine. “UPS is not aware of any court orders from the NSA seeking to inspect technology-related shipments.”

In a follow-up e-mail, Ross said UPS had no knowledge of similar orders from the FBI, CIA or any other federal agency.

Keys also reached out to other popular shipping options, including the US Postal Service, FedEx and DHL. USPS says that they don't participate in any such NSA program (though, some may question the validity of that statement). FedEx and DHL appear to have simply ignored repeated requests for comment from Keys.

Of course, it's not impossible that there are other methods being used to get the equipment -- or that the folks who handle these "special" projects are kept way far away from any official spokesperson. Clearly, however, the NSA can get these packages, and now the doubt is going to spread across pretty much everyone in the logistics chain, no matter what they say.

from the NSA-vows-to-take-this-country-down-from-the-inside dept

One of the previously-unseen NSA documents released in conjunction with Glenn Greenwald's book, "No Place to Hide," contained this slide providing further details about the agency's interception of computer hardware.

As part of the NSA's Tailored Access Operations (TAO), shipments are grabbed en route and loaded up with physical spyware before they reach the end user. The slide notes that this "supply chain interdiction" is one of TAO's "most productive operations."

The people in the photo may have had their identities concealed, but there's no mistaking the logo and name on the side of the box. Here's a closer look:

As a matter of policy and practice, Cisco does not work with any government, including the United States Government, to weaken our products. When we learn of a security vulnerability, we respond by validating it, informing our customers, and fixing it. We react the same when we find that a customer’s security has been impacted by external forces, regardless of what country or form of government or how that security breach occurred. We offer customers robust tools to defend their environments against attack, and detect attacks when they are happening. By doing these things, we have built and maintained our customers’ trust. We expect our government to value and respect this trust.

That the NSA has done what it can to ensure Cisco's world dominance (via its Huawei-related espionage) is probably of little comfort at this point. Anyone looking to purchase Cisco equipment has probably decided to take their business elsewhere. Cisco expressed some concern about the NSA's detrimental effect on its overseas sales last November. This photo only makes that situation worse.

Warning of an erosion of confidence in the products of the U.S. technology industry, John Chambers, the CEO of networking giant Cisco Systems, has asked President Obama to intervene to curtail the surveillance activities of the National Security Agency.

In a letter dated May 15 (obtained by Re/code and reprinted in full below), Chambers asked Obama to create “new standards of conduct” regarding how the NSA carries out its spying operations around the world. The letter was first reported by The Financial Times.

Chambers goes even further than Cisco's counsel, decrying the NSA's tactics and the damage they're doing to his company's reputation.

“We simply cannot operate this way; our customers trust us to be able to deliver to their doorsteps products that meet the highest standards of integrity and security,” Chambers wrote. “We understand the real and significant threats that exist in this world, but we must also respect the industry’s relationship of trust with our customers.”

The NSA's self-destructive "no one can touch us" attitude is finally beginning to hurt it -- and everyone it affects. This revelation will chase customers -- including potential targets -- to companies they believe are out of the agency's reach. American companies will be able to offer no assurances that their products have not been intercepted or sabotaged. The entire situation is beyond their control, but they'll be the ones ultimately paying the price for the NSA's overreach.

Another team (ANT -- Advanced or Access Network Technology) creates the exploits and "sells" them to the agency, providing access to communications and data that TAO can't achieve on its own.

In cases where TAO's usual hacking and data-skimming methods don't suffice, ANT workers step in with their special tools, penetrating networking equipment, monitoring mobile phones and computers and diverting or even modifying data. Such "implants," as they are referred to in NSA parlance, have played a considerable role in the intelligence agency's ability to establish a global covert network that operates alongside the Internet.

Some of the equipment available is quite inexpensive. A rigged monitor cable that allows "TAO personnel to see what is displayed on the targeted monitor," for example, is available for just $30. But an "active GSM base station" -- a tool that makes it possible to mimic a mobile phone tower and thus monitor cell phones -- costs a full $40,000. Computer bugging devices disguised as normal USB plugs, capable of sending and receiving data via radio undetected, are available in packs of 50 for over $1 million.

Between TAO and ANT, vast amounts of computer hardware have been compromised. Der Spiegel notes that ANT prefers to deploy its exploits at the BIOS level where they can remain undetected by most security and anti-virus programs. Other programs it creates hitch a ride in device firmware, including that of major American hard drive manufacturers like Western Digital, Seagate and Maxtor. (Apparently, Samsung and Huawei are similarly compromised, making them the only non-American companies listed in the documents.)

ANT also targets communications by compromising network equipment.

Other ANT programs target Internet routers meant for professional use or hardware firewalls intended to protect company networks from online attacks. Many digital attack weapons are "remotely installable" -- in other words, over the Internet. Others require a direct attack on an end-user device -- an "interdiction," as it is known in NSA jargon -- in order to install malware or bugging equipment.

It's unclear whether ANT provides exploits to other agencies, but the fact that a catalog exists suggests ANT isn't solely supplying the NSA. (If it is, one wonders why prices are listed. If it's internal development and deployment only, cost wouldn't be an issue.)

None of this should be taken to imply the TAO isn't perfectly capable of creating its own high-level exploits and backdoors. If anything, TAO is the more physical and aggressive counterpart to ANT, executing raids to achieve physical access to devices and networks (often with the assistance of the FBI -- or at least its vehicles).

An internal description of TAO's responsibilities makes clear that aggressive attacks are an explicit part of the unit's tasks. In other words, the NSA's hackers have been given a government mandate for their work. During the middle part of the last decade, the special unit succeeded in gaining access to 258 targets in 89 countries -- nearly everywhere in the world. In 2010, it conducted 279 operations worldwide…

To conduct those types of operations, the NSA works together with other intelligence agencies such as the CIA and FBI, which in turn maintain informants on location who are available to help with sensitive missions. This enables TAO to attack even isolated networks that aren't connected to the Internet. If necessary, the FBI can even make an agency-owned jet available to ferry the high-tech plumbers to their target. This gets them to their destination at the right time and can help them to disappear again undetected after as little as a half hour's work.

Even more disturbing, the NSA's TAO operation waylays purchased hardware en route to customers in order to install exploits.

If a target person, agency or company orders a new computer or related accessories, for example, TAO can divert the shipping delivery to its own secret workshops. The NSA calls this method interdiction. At these so-called "load stations," agents carefully open the package in order to load malware onto the electronics, or even install hardware components that can provide backdoor access for the intelligence agencies. All subsequent steps can then be conducted from the comfort of a remote computer.

The NSA's programs continue to make the world less safe for computer users under the guise of "security." Exploits go undiscovered and unpatched. Handcrafted exploits and backdoors are deployed without affected companies' knowledge. TAO has manipulated one of the most infamous Windows error messages in order to gain passive access to computers around the world.

The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. [via XKEYSCORE, most likely.] Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.

While not as directly useful as TAO and ANT's other tools, it is still deployed frequently enough that the dialog box itself has become an agency inside joke.

[The altered text reads: "This information may be intercepted by a foreign SIGINT system to gather detailed information and better exploit your machine."]
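The passive collection described above only works while the crash report leaves the machine in cleartext, so the defender's check is for plaintext telemetry uploads in outbound traffic. The Python below is an added example, not code from the article or from any source it cites; the proxy log format, the sample lines and the hostnames in TELEMETRY_HOSTS (including watson.microsoft.com, which the page itself does not name) are assumptions chosen for illustration.

```python
"""Flag endpoint crash-report/telemetry traffic that leaves the network in cleartext.

Added example: scans constructed proxy log lines of the form
    <timestamp> <client_ip> <method> <url> <status>
and reports which clients sent crash reports or telemetry over plain HTTP,
where a passive observer on the path could read the upload.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Hostnames associated with crash-report/telemetry uploads.
# These are assumptions for the example, not a list from the article.
TELEMETRY_HOSTS = {
    "watson.microsoft.com",
    "watson.telemetry.microsoft.com",
    "telemetry.example-vendor.test",  # constructed placeholder
}


@dataclass(frozen=True)
class Finding:
    client: str
    host: str
    reason: str


def parse_line(line):
    """Split one constructed proxy log line; return None if malformed."""
    parts = line.split()
    if len(parts) < 5:
        return None
    _ts, client, method, url, _status = parts[:5]
    return client, method.upper(), url


def is_telemetry_host(host):
    """Exact or subdomain match against the telemetry host list."""
    host = host.lower()
    return host in TELEMETRY_HOSTS or any(
        host.endswith("." + h) for h in TELEMETRY_HOSTS
    )


def find_cleartext_telemetry(lines):
    """Return one Finding per plaintext-HTTP request to a telemetry host."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, method, url = parsed
        # CONNECT tunnels carry TLS: the observer sees a destination, not a report.
        if method == "CONNECT":
            continue
        u = urlsplit(url)
        if u.scheme != "http":
            continue  # https (or anything else) is not passively readable
        host = u.hostname or ""
        if not is_telemetry_host(host):
            continue
        if method in ("POST", "PUT"):
            reason = "crash report/telemetry body uploaded in cleartext"
        else:
            reason = "cleartext request to telemetry host"
        findings.append(Finding(client, host, reason))
    return findings


def summarize(findings):
    """Map each client to the sorted set of telemetry hosts it reached in clear."""
    by_client = defaultdict(set)
    for f in findings:
        by_client[f.client].add(f.host)
    return {c: sorted(h) for c, h in by_client.items()}


# Constructed sample log lines (not captured traffic).
SAMPLE_LOG = [
    "1389000001.123 10.0.0.5 POST http://watson.microsoft.com/StageOne/report 200",
    "1389000002.456 10.0.0.5 CONNECT watson.telemetry.microsoft.com:443 200",
    "1389000003.789 10.0.0.7 GET http://www.example.test/index.html 200",
    "1389000004.012 10.0.0.9 POST http://telemetry.example-vendor.test/report 200",
    "1389000005.345 10.0.0.9 POST https://watson.microsoft.com/upload 200",
    "malformed line",
]

if __name__ == "__main__":
    for client, hosts in summarize(find_cleartext_telemetry(SAMPLE_LOG)).items():
        print(f"{client}: cleartext telemetry to {', '.join(hosts)}")
```

Only the two plain-HTTP uploads are reported; the TLS tunnel and the https upload to the same host are not, which is exactly the distinction the passive-access quote turns on.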

These new revelations will only give foreign customers even more reasons to distrust American hardware. Der Spiegel's article notes that Samsung and Huawei hardware may be similarly compromised, but by and large, most of the "damage" seems to be domestic. Estimates have suggested American companies will potentially lose $150+ billion as a result of the NSA's actions. This should push that number even higher.

The question that needs to be asked is if this damage is worth it. The agency likely believes it is -- or at least believes it shouldn't be held responsible for tanking the overseas prospects of American tech companies. According to its defenders, the real problem here is the leaks, not the exploitation of every piece of hardware and software it can get its hands on. After all, if Snowden hadn't taken those documents, this would still be a secret and foreign companies would still be purchasing compromised goods from US companies.

The NSA has never seriously considered the consequences of its activities being exposed. This should have been factored in when considering the "costs" of programs like these. Nothing operates in a vacuum, not even the most secretive of agencies. Frankly, the level of exploitation exposed here verges on inconceivable. Whatever crying agency spokespersons have done about methods being exposed now looks like nothing more than diversionary noise delivered with a poker face. The agency has "root access." The rest is just skimming the surface.